Don't really want to talk about access lists :-)

But this is a simple test really.......

access-list 10 deny 192.168.100.128 0.0.0.127 = deny 128-255
access-list 10 deny 192.168.100.112 0.0.0.15 = deny 112-127
access-list 10 deny 192.168.100.104 0.0.0.7 = deny 104-111
access-list 10 deny 192.168.100.100 0.0.0.3 = deny 100-103
access-list 10 permit any any = permit everything else

results in deny 192.168.100.0 0.0.0.255
or the entire Class C of 192.168.100.0
and let everything else through

access-list 10 permit 192.168.100.0 0.0.0.63 = permit 0-63
access-list 10 permit 192.168.100.64 0.0.0.31 = permit 64-95
access-list 10 permit 192.168.100.96 0.0.0.3 = permit 96-99
access-list 10 deny 192.168.100.0 0.0.0.255 = deny 0-255
access-list 10 permit any any = permit everything else

results in permitting 192.168.100.0 to 192.168.100.99
denying the rest of the Class C, specifically 192.168.100.100 -
192.168.100.255
and let everything else through

so no, they're not the same

So what you have here is a lesson that ACLs work from top down and stop at
the first match.

In the first set, all the statements are "deny" which accumulate to deny the
entire Class C

In the second set you're permitting 0-99 and then the rest of the Class C is
denied.

So, even though #1 is equivalent to:

 access-list 10 deny 192.168.100.0 0.0.0.255 (which appears in set #2 which
is probably the "trick")

#2 has those permits that get processed first.


Kevin Wigle



----- Original Message -----
From: "Dennis Laganiere" 
To: 
Sent: Wednesday, 19 September, 2001 20:38
Subject: More fun with Access Lists [7:20477]


> Are these the same, and what do they do?  Anybody want to talk about access
> lists?
>
> access-list 10 deny 192.168.100.128 0.0.0.127
> access-list 10 deny 192.168.100.112 0.0.0.15
> access-list 10 deny 192.168.100.104 0.0.0.7
> access-list 10 deny 192.168.100.100 0.0.0.3
> access-list 10 permit any any
>
>
> access-list 10 permit 192.168.100.0 0.0.0.63
> access-list 10 permit 192.168.100.64 0.0.0.31
> access-list 10 permit 192.168.100.96 0.0.0.3
> access-list 10 deny 192.168.100.0 0.0.0.255
> access-list 10 permit any any
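
To check an ordered list like these by machine, the following added example (not part of either message) evaluates both lists from the question with first-match semantics and wildcard masks, then collapses the verdict for every host in 192.168.100.0-255 into ranges. The function names `parse`, `evaluate` and `summarize` are hypothetical, and the trailing `any any` is assumed to mean source `any`.

```python
import ipaddress

SET_1 = """\
access-list 10 deny 192.168.100.128 0.0.0.127
access-list 10 deny 192.168.100.112 0.0.0.15
access-list 10 deny 192.168.100.104 0.0.0.7
access-list 10 deny 192.168.100.100 0.0.0.3
access-list 10 permit any any"""
SET_2 = """\
access-list 10 permit 192.168.100.0 0.0.0.63
access-list 10 permit 192.168.100.64 0.0.0.31
access-list 10 permit 192.168.100.96 0.0.0.3
access-list 10 deny 192.168.100.0 0.0.0.255
access-list 10 permit any any"""

def parse(text):
    """Return [(action, base, wildcard)] as integers; 'any' matches every source."""
    rules = []
    for line in text.splitlines():
        _, _, action, src, *rest = line.split()
        if src == "any":  # assumption: the trailing "any any" is read as source "any"
            base, wild = 0, 0xFFFFFFFF
        else:
            base, wild = (int(ipaddress.IPv4Address(x)) for x in (src, rest[0]))
        rules.append((action, base, wild))
    return rules

def evaluate(rules, addr):
    """First match wins; wildcard bits set to 1 are ignored in the comparison."""
    ip = int(ipaddress.IPv4Address(addr))
    for action, base, wild in rules:
        if (ip | wild) == (base | wild):
            return action
    return "deny"  # implicit deny at the end of every ACL

def summarize(text, prefix="192.168.100."):
    """Collapse per-host verdicts for .0-.255 into (action, first, last) runs."""
    rules, runs = parse(text), []
    for host in range(256):
        action = evaluate(rules, f"{prefix}{host}")
        if runs and runs[-1][0] == action:
            runs[-1] = (action, runs[-1][1], host)
        else:
            runs.append((action, host, host))
    return runs

if __name__ == "__main__":
    for name, acl in (("set 1", SET_1), ("set 2", SET_2)):
        print(name, summarize(acl), "outside:", evaluate(parse(acl), "10.1.1.1"))
```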




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=20478&t=20477